TRANSCRIPT
© 2012 IBM Corporation
Information Management
Information Governance: solutions for the integrity, security and auditability of your data
Fernando Tamagnini - Data Governance SSA - Specialist
September 2012
Worldwide regulations focus attention on data security concerns
• Canada: Personal Information Protection & Electronics Document Act
• USA: Federal, Financial & Healthcare Industry Regulations & State Laws
• Mexico: E-Commerce Law
• Colombia: Political Constitution, Article 15
• Brazil: Constitution, Habeas Data & Code of Consumer Protection & Defense
• Chile: Protection of Personal Data Act
• Argentina: Habeas Data Act
• Uruguay: Habeas Data, Ley 18.331
• South Africa: Promotion of Access to Information Act
• United Kingdom: Data Protection Act
• EU: Protection Directive
• Switzerland: Federal Law on Data Protection
• Germany: Federal Data Protection Act & State Laws
• Poland: Polish Constitution
• Israel: Protection of Privacy Law
• Pakistan: Banking Companies Ordinance
• Russia: Computerization & Protection of Information / Participation in Int’l Info Exchange
• China: Commercial Banking Law
• Korea: 3 Acts for Financial Data Privacy
• Hong Kong: Privacy Ordinance
• Taiwan: Computer-Processed Personal Data Protection Law
• Japan: Guidelines for the Protection of Computer Processed Personal Data
• India: SEC Board of India Act
• Vietnam: Banking Law
• Philippines: Secrecy of Bank Deposit Act
• Australia: Federal Privacy Amendment Bill
• Singapore: Monetary Authority of Singapore Act
• Indonesia: Bank Secrecy Regulation 8
• New Zealand: Privacy Act
Database servers are the primary source of breached data. Focus limited resources on the most threatened data source.
“It’s really not surprising that servers seem to have a lock on first place when it comes to the types of assets impacted by data breaches. They store and process data, and that fact isn’t lost on data thieves.”
Categories of compromised assets by percent of breaches and percent of records (source: Verizon Business Data Breach Investigations Report 2011):
Servers: 64% of breaches / 94% of records
User Devices: 60% / 35%
People: 7% / 34%
Offline data: 3% / <1%
Network infrastructure: <1% / <1%
Unknown: 1% / 1%
Organizations are slow to respond to database attacks
Timespan of events by percent of breaches (Verizon 2012 Data Breach Investigations Report):
                                          Seconds  Minutes  Hours  Days  Weeks  Months  Years
Initial Attack to Initial Compromise        10%      75%     12%    2%    0%     1%      0%
Initial Compromise to Data Exfiltration      8%      38%     14%   25%    8%     8%      0%
Initial Compromise to Discovery              0%       0%      2%   13%   29%   54%+      2%
Discovery to Containment / Restoration       0%       1%      9%   32%   38%    17%      4%
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
What’s the risk? Failure to comply leads to data breaches
• April 2012: Hackers obtained credit card information on 1.5 million users; cost to contain the breach: tens of millions of dollars
• January 2012: SQL injection campaign infects 1 million web pages; attacker takes full control of operating system, database and Web application
• February 2009: Unprotected test data misused by third-party consultants; vendor exposes PII of 45,000+ employees
• April 2012: Utah health data breach affects nearly 800,000; joint effort between hackers and insiders
Success requires governance across the “Information Supply Chain”
[Diagram: Information Governance (Govern: Quality, Security & Privacy, Lifecycle, Standards) spanning the supply chain from External Information Sources through Integrate, Manage (Data, Content, Master Data, Big Data, Streaming Information, Data Warehouses, Cubes) and Analyze (Content Analytics) to Transactional & Collaborative Applications and Business Analytics Applications]
Are there ways around your security policies? Requirements for data security and compliance
Executives need to:
– Lower the cost of compliance
– Avoid audits and fines from regulatory bodies
– Maintain customer satisfaction & brand image
Data security/privacy analysts need to:
– Understand what data exists
– Implement policies based on roles or LOB
– Protect against internal and external threats
– Avoid using confidential data for non-production
– Mitigate vulnerabilities in the data center
– Respond in real time to suspicious activities
Holistic approach to data security and compliance
Information Governance Core Disciplines: Security and Privacy
Understand & Define:
– Discover where sensitive data resides
– Classify & define data types
– Define policies & metrics
Secure & Protect:
– De-identify confidential data in non-production environments
– Fully redact unstructured data
– Protect enterprise data from authorized & unauthorized access
Monitor & Audit:
– Assess database vulnerabilities
– Monitor and enforce review of policy exceptions
– Audit and report for compliance
“A data security strategy should include database auditing and monitoring, patch management, data masking, access control, discovery/classification, and change management.” -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011
Discipline: Understand & Define
Understand and define your distributed data landscape
• Locate and inventory data sources across the enterprise
• Identify sensitive data and classify
• Understand relationships
• Centrally document security policies and propagate across the data lifecycle
“Start with discovery, classification, and building policies and implementing data security controls.” -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011
Discipline: Understand & Define
Discover how data is related and where sensitive data may be hidden
Sensitive Relationship Discovery (example tables from the slide):
System A Table 15 (Patient, Result, Test):
3802468 N 53
4182715 N 53
4600986 N 32
5061085 N 53
5567193 N 72
6123913 Y 47
6736304 N 34
7409934 N 34
8150928 N 47
8966020 N 34
System Z Table 25 (Code, Name):
53 Streptococcus pyogenes
72 Pregnancy
32 Alzheimer Disease
47 H1N1
34 Dermatomycoses
System A Table 1 (Number, Name):
4600986 Alex Fulltheim
8150928 Barney Solo
6736304 Bill Alexander
3802468 Bob Smith
5567193 Eileen Kratchman
7409934 Fred Simpson
6123913 Greg Lougainis
5061085 Jamie Slattery
4182715 Jim Johnson
8966020 Martin Aston
System A Table 1 (Number, Name), with the Patient ID # embedded within the Number field:
3544600986 Alex Felltham
5728150928 Barney Solo
3786736304 Bill Alexander
6783802468 Bob Smith
4035567193 Eileen Ranchman
8037409934 Fred Simpson
4306123913 John Smith
9525061085 Jamie Slattery
4594182715 Jim Johnson
1288966020 Martin Aston
Compound sensitive data: test results could potentially be revealed.
Relationships and sensitive data can’t always be found with a simple data scan:
– Sensitive data can be embedded within a field
– Sensitive data could be revealed through relationships across fields & systems
When dealing with hundreds of tables and millions of rows, this search is complex.
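As an added illustration of the relationship discovery described above (example code written for this edit, not IBM's or InfoSphere Discovery's implementation), the following Python scans the slide's three tables for a key that is embedded inside a longer field, then follows the relationship to show the compound sensitive data that a column-by-column scan would miss. The table contents are the sample values from the slide; the function names and the 80% embedding threshold are assumptions.

```python
import re

# Sample tables constructed from the values on the slide (not real patient data).
# System A Table 15: test results keyed by the 7-digit patient number.
TABLE_A15 = [
    ("3802468", "N", "53"), ("4182715", "N", "53"), ("4600986", "N", "32"),
    ("5061085", "N", "53"), ("5567193", "N", "72"), ("6123913", "Y", "47"),
    ("6736304", "N", "34"), ("7409934", "N", "34"), ("8150928", "N", "47"),
    ("8966020", "N", "34"),
]
# System Z Table 25: test code lookup.
TABLE_Z25 = {"53": "Streptococcus pyogenes", "72": "Pregnancy",
             "32": "Alzheimer Disease", "47": "H1N1", "34": "Dermatomycoses"}
# System A Table 1: names keyed by a 10-digit Number whose last 7 digits are the patient number.
TABLE_A1 = [
    ("3544600986", "Alex Felltham"), ("5728150928", "Barney Solo"),
    ("3786736304", "Bill Alexander"), ("6783802468", "Bob Smith"),
    ("4035567193", "Eileen Ranchman"), ("8037409934", "Fred Simpson"),
    ("4306123913", "John Smith"), ("9525061085", "Jamie Slattery"),
    ("4594182715", "Jim Johnson"), ("1288966020", "Martin Aston"),
]


def find_embedded_keys(keys, column):
    """Map each key to the column values that contain it as an embedded digit run.

    An equality join finds nothing here because Table 1 stores the patient
    number inside a longer Number; a substring scan does find it.
    """
    hits = {}
    for key in keys:
        pattern = re.compile(re.escape(key))
        matches = [v for v in column if pattern.search(v)]
        if matches:
            hits[key] = matches
    return hits


def embedding_ratio(keys, column):
    """Fraction of keys found embedded in the column; close to 1.0 means the column is a hidden foreign key."""
    keys = list(keys)
    return len(find_embedded_keys(keys, column)) / len(keys) if keys else 0.0


def compound_exposure(results, codes, names, threshold=0.8):
    """Relate test results to named people through the embedded key and the code lookup.

    Returns [(name, test name, result)]: the compound sensitive data that a scan of
    each column on its own would not reveal. Empty if the columns are not related.
    """
    patient_ids = [r[0] for r in results]
    numbers = [n[0] for n in names]
    if embedding_ratio(patient_ids, numbers) < threshold:
        return []
    name_by_number = dict(names)
    embedded = find_embedded_keys(patient_ids, numbers)
    exposed = []
    for patient_id, result, code in results:
        for number in embedded.get(patient_id, []):
            exposed.append((name_by_number[number], codes.get(code, "unknown code " + code), result))
    return sorted(exposed)


if __name__ == "__main__":
    for row in compound_exposure(TABLE_A15, TABLE_Z25, TABLE_A1):
        print(row)
```

The threshold matters in practice: a 7-digit key will occasionally appear by chance inside unrelated long numbers, so a column is only reported as a hidden relationship when most keys are found in it, not when one is.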
Discipline: Secure & Protect
Protecting data is both an external and internal issue
• Prevent “power users” from abusing their access to sensitive data
– DBAs and power users
• Prevent authorized users from misusing sensitive data
– Third-party or off-shore developers
• Prevent intrusion and theft of data
– Theft of backup tape
– Hacker
– Database vulnerabilities (user id with no password or default password)
Discipline: Secure & Protect
Automated data redaction protects unstructured data
• Redact (or remove) sensitive unstructured data found in documents and forms, protecting confidential information while supporting the need to share
• Leverage an automated redaction process for speed, accuracy and efficiency
– Redact hidden source data (or metadata) within documents
• Prevent unintentional disclosure using role-based redaction
• Ensure multiple file formats are supported, including PDF, text, TIFF and Word
[Figure: example document with Full Name & Street Address redacted]
Discipline: Secure & Protect
Data masking protects structured data
Definition: Method for creating a structurally similar but inauthentic version of an organization's data. The purpose is to protect the actual data while having a functional substitute for occasions when the real data is not required.
Requirement: Effective data masking requires data to be altered in a way that the actual values cannot be determined or reengineered, while functional appearance is maintained.
Other terms used: Obfuscation, scrambling, data de-identification
Commonly masked data types: Name, address, telephone, SSN/national identity number, credit card number
Methods:
– Static Masking: Extracts rows from production databases, obfuscating data values that ultimately get stored in the columns in the test databases
– Dynamic Masking: Masks specific data elements on the fly without touching applications or the physical production data store
Discipline: Secure & Protect
Statically mask data in non-production databases
[Figure: a production record is statically masked into the record stored in the non-production copy]
Patient No 123456, SSN 333-22-4444, Name Erica Schafer, Address 12 Murray Court, City Austin, State TX, Zip 78704
→ Patient No 112233, SSN 123-45-6789, Name Amanda Winters, Address 40 Bayberry Drive, City Elgin, State IL, Zip 60123
• Mask data in non-production databases such as test and development
• Improve security of non-production environments
• Facilitate faster testing processes with accurate test data
• Support referential integrity
• Mask custom and packaged ERP/CRM applications
Discipline: Secure & Protect
Mask data in applications
[Figure: “Patient Information” application screen before and after programmatic masking, with the fields Patient No., SSN, Name, Address, City, State, Zip]
Patient No 123456, SSN 333-22-4444, Name Erica Schafer, Address 12 Murray Court, City Austin, State TX, Zip 78704
Patient No 112233, SSN 123-45-6789, Name Amanda Winters, Address 40 Bayberry Drive, City Elgin, State IL, Zip 60123
• Ensure a valid business need to know for access to sensitive data
• Mask data in real time to respond to suspicious activities
• Promote a role-based approach to data access
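The static and dynamic masking methods defined on the data-masking slide, applied to the sample patient record shown on the last two slides, as an added Python example written for this edit (it is not InfoSphere Optim's masking engine). It uses a keyed HMAC so that the same SSN masks to the same substitute in every table, which is what the referential-integrity requirement asks for, while the real value cannot be recovered from the substitute without the key. The substitute vocabularies, the role table, the claims table and the masking key are constructed assumptions.

```python
import hashlib
import hmac

# Constructed secret for this masking run. In a real deployment it comes from a key
# store: anyone holding it can reproduce the pseudonym mapping, so it is protected like a key.
MASKING_KEY = b"constructed-demo-masking-key"

# Substitute vocabularies (constructed); none of them contain the sample names below.
FIRST_NAMES = ["Alex", "Dana", "Jordan", "Kim", "Lee", "Morgan", "Pat", "Sam"]
LAST_NAMES = ["Abbott", "Brooks", "Carter", "Dixon", "Ellis", "Foster", "Grant", "Hayes"]
STREETS = ["Oak Street", "Pine Avenue", "Cedar Lane", "Maple Drive", "Elm Road"]

# Constructed rows modelled on the slide's example records.
PATIENTS = [
    {"patient_no": "123456", "ssn": "333-22-4444", "name": "Erica Schafer",
     "address": "12 Murray Court", "city": "Austin", "state": "TX", "zip": "78704"},
    {"patient_no": "112233", "ssn": "123-45-6789", "name": "Amanda Winters",
     "address": "40 Bayberry Drive", "city": "Elgin", "state": "IL", "zip": "60123"},
]
# A second constructed table that references the same people by SSN (referential integrity).
CLAIMS = [
    {"claim_id": "C-1001", "ssn": "333-22-4444", "amount": "250.00"},
    {"claim_id": "C-1002", "ssn": "123-45-6789", "amount": "75.00"},
]


def _digest(value, purpose):
    """Keyed digest of (purpose, value): deterministic, so one input masks the same way
    in every table, but not reversible without MASKING_KEY."""
    return hmac.new(MASKING_KEY, f"{purpose}:{value}".encode(), hashlib.sha256).digest()


def mask_digits(value, purpose="digits"):
    """Replace each digit with a keyed pseudo-random digit, keeping separators and length
    (333-22-4444 becomes another ddd-dd-dddd). Digit selection by byte mod 10 is slightly
    biased, which is acceptable for a masking substitute but not for a secret."""
    d = _digest(value, purpose)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(d[i % len(d)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_name(value):
    d = _digest(value, "name")
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_address(value):
    d = _digest(value, "address")
    house = 1 + int.from_bytes(d[:2], "big") % 999
    return f"{house} {STREETS[d[2] % len(STREETS)]}"


MASKERS = {"ssn": mask_digits, "name": mask_name, "address": mask_address}


def mask_row(row, keep=frozenset()):
    """Mask every sensitive column except those listed in `keep`; other columns pass through."""
    return {col: (MASKERS[col](val) if col in MASKERS and col not in keep else val)
            for col, val in row.items()}


def static_mask(rows):
    """Static masking: build the de-identified copy that is loaded into test/dev databases."""
    return [mask_row(r) for r in rows]


# Constructed role policy: which sensitive columns each role has a business need to see.
NEED_TO_KNOW = {"physician": {"ssn", "name", "address"}, "billing": {"name", "address"}, "support": set()}


def dynamic_read(row, role):
    """Dynamic masking: the production row is untouched; columns the role has no need
    for are replaced on the fly, so unknown roles see everything masked."""
    return mask_row(row, keep=NEED_TO_KNOW.get(role, set()))


if __name__ == "__main__":
    for masked in static_mask(PATIENTS):
        print(masked)
    print(dynamic_read(PATIENTS[0], "support"))
```

Note what is and is not preserved: patient_no is left alone because it is the join key for other tables, the SSN keeps its shape so application validation still passes, and because the substitute is derived only from the value and the key, a masked SSN in the claims copy matches the masked SSN in the patient copy.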
Discipline: Secure & Protect
Protect online and offline data with encryption
[Figure: “John Smith, 401 Main Street Apt 2076, Austin, TX 78745-4548” encrypted to unreadable ciphertext (*&^$ !@#)(~|” +_)? $%~:>> %^$#%&, >< <>?_)-^%~~) and decrypted back. Personally identifiable information is encrypted, making it meaningless without a proper key.]
• Encryption transforms data to make it unreadable except to those with a special key
• Encrypted data is meaningless without the key, so unauthorized access to the ciphertext alone causes no harm
• Original data is preserved (it can be recovered with the key), so encryption is an ideal choice for protecting production environments
Discipline: Monitor & Audit
What happens with compliance complacency?
• Regulatory fines
– No audit report mechanism
– No fine-grained audit trail of database activities
• Inability to detect data breaches
– Lack of awareness of suspicious access patterns
– On-going vs. single-event: problems identifying patterns of unauthorized use
• Not able to monitor super user activity
– Unable to detect intentional and unintentional events
“Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information [in business applications] … Fewer than two out of five respondents said they could prevent such tampering by super users.” -- Independent Oracle User Group
Discipline: Monitor & Audit
Streamline and simplify compliance processes
• Alerts for suspicious activities
• Audit reporting and sign-offs
– user activity
– object creation
– database configuration
– entitlements
• Separation of duties: creation of policies vs. reporting on application of policies
• Trace users between applications and databases
• Fine-grained policies
• Sign-off and escalation procedures
• Integration with enterprise security systems (SIEM)
“Ensure role separation, and use solutions that can deliver role-based reports, alerts, and controls.” -- Why Enterprise Database Security Strategy Has Become Critical, Forrester Research, Inc., July 13, 2011
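As an added example of the alerting and super-user monitoring described on the last two slides (written for this edit; it is not Guardium's policy engine, and the audit record format, account names, table names and thresholds are all invented), the following Python evaluates a few constructed database audit records against role-based rules: privileged users reading sensitive tables, non-application accounts touching PII, bulk reads, off-hours access, schema changes, and repeated access by one user rather than a single event.

```python
import re
from collections import Counter
from datetime import datetime

# Policy (constructed assumptions for this example).
SENSITIVE_TABLES = {"PATIENT", "CLAIM"}   # tables holding PII
APPLICATION_ACCOUNTS = {"app_svc"}        # the only accounts expected to read PII
PRIVILEGED_PREFIX = "dba_"                # super users administer the database, never read PII
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59
REPEAT_THRESHOLD = 3                      # third sensitive read by one user raises a pattern alert
DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}
DDL = {"ALTER", "CREATE", "DROP", "GRANT", "REVOKE"}

# Constructed audit records in an invented key=value format.
SAMPLE_AUDIT_LOG = """\
2012-09-14T02:13:07Z user=dba_jsmith src=10.1.5.22 db=CLINICAL stmt="SELECT * FROM PATIENT" rows=48000
2012-09-14T09:02:11Z user=app_svc src=10.1.9.10 db=CLINICAL stmt="SELECT NAME FROM PATIENT WHERE ID=4600986" rows=1
2012-09-14T09:05:40Z user=dba_jsmith src=10.1.5.22 db=CLINICAL stmt="ALTER TABLE PATIENT ADD NOTES VARCHAR(200)" rows=0
2012-09-14T10:11:00Z user=dev_offshore src=203.0.113.8 db=CLINICAL stmt="SELECT SSN, NAME FROM PATIENT" rows=48000
2012-09-14T10:15:30Z user=dev_offshore src=203.0.113.8 db=CLINICAL stmt="SELECT AMOUNT FROM CLAIM WHERE ID=77" rows=1
2012-09-14T10:20:12Z user=dev_offshore src=203.0.113.8 db=CLINICAL stmt="SELECT AMOUNT FROM CLAIM WHERE ID=78" rows=1
2012-09-14T11:00:00Z user=app_svc src=10.1.9.10 db=CLINICAL stmt="UPDATE INVENTORY SET QTY=4 WHERE SKU=12" rows=3
2012-09-14T23:40:02Z user=app_svc src=10.1.9.10 db=CLINICAL stmt="SELECT NAME FROM PATIENT WHERE ID=8150928" rows=1
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) '
    r'stmt="(?P<stmt>[^"]*)" rows=(?P<rows>\d+)')


def parse_line(line):
    """Parse one audit record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["rows"] = int(e["rows"])
    words = re.findall(r"[A-Za-z_]+", e["stmt"])
    e["verb"] = words[0].upper() if words else ""
    e["tables"] = {w.upper() for w in words} & SENSITIVE_TABLES   # sensitive tables the statement names
    return e


def evaluate(events):
    """Apply the policy to events in time order; returns (rule, user, timestamp) alerts."""
    alerts = []
    sensitive_reads = Counter()

    def alert(rule, e):
        alerts.append((rule, e["user"], e["ts"].isoformat()))

    for e in events:
        is_app = e["user"] in APPLICATION_ACCOUNTS
        if e["verb"] in DDL:
            alert("DDL_CHANGE", e)              # change management: every schema or grant change is reviewed
        if not e["tables"]:
            continue                            # remaining rules only concern sensitive tables
        if e["verb"] in DML and e["user"].startswith(PRIVILEGED_PREFIX):
            alert("PRIVILEGED_ACCESS", e)       # a DBA has no business reason to read PII rows
        elif e["verb"] in DML and not is_app:
            alert("NON_APPLICATION_ACCESS", e)  # e.g. a developer account reading production PII
        if e["rows"] >= BULK_ROW_THRESHOLD:
            alert("BULK_EXTRACTION", e)
        if not is_app and e["ts"].hour not in BUSINESS_HOURS:
            alert("OFF_HOURS_ACCESS", e)
        if e["verb"] == "SELECT" and not is_app:
            sensitive_reads[e["user"]] += 1     # pattern over time, not a single event
            if sensitive_reads[e["user"]] == REPEAT_THRESHOLD:
                alert("REPEATED_SENSITIVE_READS", e)
    return alerts


def analyze(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return evaluate(sorted(events, key=lambda e: e["ts"]))


if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT_LOG):
        print(a)
```

The application service account deliberately triggers nothing, including at 23:40: the point of role-based policies is that the same statement is normal for one identity and an alert for another, which is why the rules key on who ran the statement rather than only on what it was.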
InfoSphere Guardium continues to demonstrate its leadership
October 26, 2007: Guardium named a Leader in Forrester Wave: Enterprise Auditing and Real-Time Protection
[Figure: Forrester Wave chart, 2011]
Source: The Forrester Wave™: Database Auditing And Real-Time Protection, Q2 2011, May 6, 2011. The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
InfoSphere Platform for data security and compliance
Allows you to:
• Reduce the cost of compliance
• Prevent data breaches
• Ensure data integrity
The Difference:
• Completely protects across diverse data types and environments
• Scales across small and large heterogeneous enterprises
• Delivers both processes and technologies
Customer results:
• Customer streamlines testing and protects test data, saving $240K/year in administrative costs
• Organizations complete audits 20% faster, saving about $50,000 per year
• Monitoring database activity protects data and provides 239% ROI
Products: InfoSphere Guardium, InfoSphere Optim, InfoSphere Discovery
Holistic, Scalable, Integrated